Mitigation of JavaScript-Based Fingerprinting Attacks Reliant on Client Data Generation
Presenter(s)
Nathan Joslin
Description
Although fingerprinting methods are currently used by fraud detection companies as a secondary form of identification, they can just as easily be used maliciously. By nature, fingerprinting reveals software and hardware information that malicious attackers may use to their advantage. Attackers with access to this sensitive information may target users running a software version known to have vulnerabilities, silently track a user’s activity across the web, or even reveal a user’s identity. Additionally, fingerprinting is silent and often done without the user knowing their fingerprint is being collected. As a result, it is nearly impossible for average users to opt out of or block fingerprinting attacks.

In this thesis, we leverage the MyWebGuard browser extension developed by Phung et al. to enforce dynamic policies on web pages that engage in device fingerprinting. MyWebGuard implements an Inline Reference Monitor (IRM) to supervise the JavaScript operations carried out on web pages. Three types of JavaScript operations are monitored: method calls, object creation and access, and property access. When these operations are executed, the IRM intercepts them, allowing for policy enforcement. As this policy enforcement mechanism monitors JavaScript operations, it is an excellent method to mitigate JavaScript-based fingerprinting. In this work, we will focus on monitoring dynamic fingerprinting methods that rely on generating unique data rather than collecting static attributes. As for the mitigation approach, we chose a randomization method rather than normalization or domain-based blocking. This “moving target” approach is intended to constantly change a given device’s fingerprint over time, making it increasingly difficult for malicious actors to track a device across the web. Further motivation behind this mitigation method is to limit major site breakage, a phenomenon common with current anti-fingerprinting technologies, while protecting user privacy.
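The method-call interception and randomization policy described above, as an added example that is not MyWebGuard code and not taken from the thesis. The names `monitorMethod`, `randomizeSamples`, `makeDevice` and the `render` data-generating API are hypothetical stand-ins constructed for illustration, and only method calls (one of the three monitored operation types) are covered.

```javascript
// Added illustration; not MyWebGuard code. All names here are hypothetical.

// Reference-monitor wrapper: every call to obj[name] is routed through
// policy(original, thisArg, args), which decides what the caller receives.
function monitorMethod(obj, name, policy) {
  const original = obj[name];
  obj[name] = function (...args) {
    return policy(original, this, args);
  };
}

// Randomization policy: run the real method, then flip the low bit of each
// generated sample according to rng (a function returning a value in [0, 1)).
function randomizeSamples(rng) {
  return (original, thisArg, args) =>
    original.apply(thisArg, args).map((v) => v ^ (rng() < 0.5 ? 1 : 0));
}

// Constructed stand-in for a browser API whose generated data is stable per
// device, which is what makes it usable as a fingerprint.
function makeDevice() {
  return {
    render(n) {
      return Array.from({ length: n }, (_, i) => (i * 37 + 11) & 0xff);
    },
  };
}

// 32-bit FNV-1a hash, standing in for whatever digest a tracker would compute.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// What a fingerprinting script does: generate data, then hash it.
function fingerprint(device) {
  return fnv1a(device.render(64));
}

// Compare an unmonitored device with one running under the policy.
function demo() {
  const plain = makeDevice();
  const guarded = makeDevice();
  monitorMethod(guarded, 'render', randomizeSamples(Math.random));
  return {
    stable: fingerprint(plain) === fingerprint(plain),     // trackable
    moved: fingerprint(guarded) !== fingerprint(guarded),  // changes per call
    hidden: fingerprint(guarded) !== fingerprint(plain),   // real value masked
  };
}
```

Because only the low bit of each sample changes, the generated data stays close to the real output, which reflects the stated goal of limiting site breakage.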
Publication Date
4-19-2023
Project Designation
Honors Thesis
Primary Advisor
Phu Phung, Ahmed El Ouadrhiri
Primary Advisor's Department
Computer Science
Keywords
Stander Symposium, College of Arts and Sciences
Institutional Learning Goals
Scholarship; Vocation; Community
Recommended Citation
"Mitigation of JavaScript-Based Fingerprinting Attacks Reliant on Client Data Generation" (2023). Stander Symposium Projects. 2792.
https://ecommons.udayton.edu/stander_posters/2792
Comments
Presentation: 10:40-11:00 a.m., Jessie Hathcock Hall 101